b"Audit Report\n\n\n\n\nOIG-13-053\nTERRORIST FINANCING/MONEY LAUNDERING: FinCEN\xe2\x80\x99s BSA\nIT Modernization Program Was within Budget and on Schedule\nBut Users Suggest Enhancements\nSeptember 25, 2013\n\n\n\n\nOffice of\nInspector General\nDepartment of the Treasury\n\x0cThis Page Intentionally Left Blank.\n\x0cContents\n\nAudit Report\n\n  Results in Brief ............................................................................................ 3\n\n  Findings ..................................................................................................... 4\n\n      BSA IT Mod Program Was within Budgeted Costs with One Milestone\n      Remaining .............................................................................................. 4\n\n      BSA IT Mod Is Generally Meeting User Needs But Users Suggest Further\n      Enhancements ........................................................................................ 9\n\n      Oversight of BSA IT Mod Continued .......................................................... 14\n\n  Recommendations ....................................................................................... 16\n\nAppendices\n\n  Appendix     1:      Objectives, Scope, and Methodology ......................................              19\n  Appendix     2:      Additional Background Information on BSA IT Mod ...................                    22\n  Appendix     3:      Management Response .........................................................          25\n  Appendix     4:      Major Contributors to this Report ............................................         27\n  Appendix     5:      Report Distribution ................................................................   28\n\nAbbreviations\n\n  BCR                  baseline change request\n  BSA                  Bank Secrecy Act\n  BSA Direct           BSA Direct Retrieval and Sharing\n  BSA IT Mod           BSA Information Technology Modernization Program\n  CIO                  Chief Information Officer\n  FinCEN               Financial Crimes Enforcement Network\n  H. Rept.             House Report\n  IRS                  Internal Revenue Service\n  IT                   Information Technology\n  MITRE                MITRE Corporation\n  OCIO                 Office of the Chief Information Officer\n  OIG                  Office of Inspector General\n  SOR                  system of record\n  TEOAF                Treasury Executive Office of Asset Forfeiture\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule             Page i\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0cThis Page Intentionally Left Blank.\n\x0c                                                                                      Audit\nOIG\nThe Department of the Treasury\n                                                                                      Report\nOffice of Inspector General\n\n\n\n\n                      September 25, 2013\n\n                      Jennifer Shasky Calvery, Director\n                      Financial Crimes Enforcement Network\n\n                      The Financial Crimes Enforcement Network (FinCEN) administers\n                      the Bank Secrecy Act (BSA), which established the framework to\n                      combat criminal use of the financial system. BSA requires financial\n                      institutions to report certain financial transactions made by their\n                      customers. FinCEN oversees the management, processing, storage,\n                      and dissemination of BSA data. In November 2006, FinCEN began\n                      a system development effort, the BSA Information Technology\n                      Modernization Program (BSA IT Mod), to improve the collection,\n                      analysis, and sharing of BSA data. The intent of the effort was,\n                      among other things, to transition BSA data from the Internal\n                      Revenue Service (IRS) to FinCEN. BSA IT Mod is estimated to cost\n                      $120 million and is to be completed in 2014.\n\n                      Pursuant to a Congressional directive, we conducted the fourth in a\n                      series of audits of FinCEN\xe2\x80\x99s BSA IT Mod. 1 Consistent with the\n                      Congressional directive, the objectives of the audit were to\n                      determine if FinCEN is (1) meeting cost, schedule, and performance\n                      benchmarks for the program and (2) providing appropriate oversight\n                      of contractors. We also assessed any deviations from FinCEN\xe2\x80\x99s\n                      plan. The period covered by this audit was January through June\n                      2013. We interviewed FinCEN program officials, Treasury\xe2\x80\x98s Office\n\n1\n  House Report (H. Rept.) 112-331 directed our office to report on BSA IT Mod, including contractor\noversight and progress regarding budget and schedule, semiannually. Our prior three reports issued\nunder this directive are FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and Within Cost But\nRequires Continued Attention to Ensure Successful Completion (OIG-12-047; Mar. 26, 2012); FinCEN\xe2\x80\x99s\nBSA IT Modernization Program Is Meeting Milestones, But Oversight Remains Crucial (OIG-12-077;\nSep. 27, 2012); FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with Schedule Extensions\n(OIG-13-036; Mar. 28, 2013).\n\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 1\n                      But Users Suggest Enhancements (OIG-13-053)\n\x0c                       of Chief Information Officer (OCIO) officials, and a number of BSA\n                       IT Mod system users. We interviewed representatives from Deloitte\n                       Consulting, LLP (Deloitte), and MITRE Corporation (MITRE), the\n                       contractors involved with the program. 2 We also reviewed\n                       applicable program documentation. We performed our fieldwork\n                       from April 2013 through July 2013. Appendix 1 provides a more\n                       detailed description of our audit objectives, scope, and\n                       methodology. Appendix 2 provides additional background\n                       information on BSA IT Mod, including its component projects.\n\n                       In March 2013, we reported on FinCEN\xe2\x80\x99s BSA IT Mod as of\n                       December 2012. 3 We found that BSA IT Mod program was\n                       proceeding mostly on schedule and within budgeted cost. Program\n                       development met all major milestones but the planned completion\n                       dates for certain projects were extended when project staffing\n                       resources were re-allocated to resolve data quality issues. Although\n                       the program as a whole was within budget, the costs for some\n                       discrete projects exceeded initial budgeted amounts. We also\n                       reported that FinCEN tested the performance of BSA IT Mod\n                       projects that were completed as of our review, and resolved\n                       significant issues identified during testing. Additionally, we\n                       reported that FinCEN users began experiencing performance issues\n                       with the FinCEN Query tool, 4 including searches yielding\n                       incomplete data. FinCEN attributed this problem to the search\n                       engine software and resolved the problem shortly after our\n                       fieldwork was completed. We cautioned in our March 2013 report\n                       that risks remained to BSA IT Mod, including the interdependency\n                       between the component projects. Another risk we identified was\n                       the differences among users\xe2\x80\x99 needs and how FinCEN must\n                       consider, prioritize, and accommodate those needs. Some users\n                       also reported that BSA IT Mod features were challenging to use.\n\n\n\n\n2\n  FinCEN contracted with Deloitte to oversee the systems development and integration effort. Deloitte is\nthe prime contractor in the BSA IT Mod effort. FinCEN also engaged MITRE as a subject matter expert\non program and project management and BSA IT Mod business capabilities. MITRE is a not-for-profit\norganization chartered to work in the public interest with expertise in systems engineering, information\ntechnology, operational concepts, and enterprise modernization.\n3\n  FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with Schedule Extensions (OIG-13-036;\nMar. 28, 2013).\n4\n  FinCEN Query is used by FinCEN internal users and by registered external users and customers to\nretrieve and analyze BSA data.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule    Page 2\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0cResults in Brief\n                       As of June 2013, we found that the BSA IT Mod program was\n                       within budgeted costs and that all planned milestones were\n                       completed except one, the Broker Information Exchange project. 5\n                       The schedule for this milestone, the last one for the BSA IT Mod\n                       program, was modified to incorporate phases and adjusted from\n                       April 2013 to April 2014 because of a reorganization of FinCEN\n                       that required additional time to define the project\xe2\x80\x99s requirements\n                       and align with the new organization areas and priorities.\n\n                       FinCEN Query users from law enforcement and regulatory agencies\n                       we interviewed were generally satisfied with the system, but\n                       expressed some limitations and suggested enhancements. FinCEN\n                       analysts we interviewed told us that Advanced Analytics 6 met their\n                       needs though it was somewhat complex and believed additional\n                       training would be beneficial.\n\n                       The BSA IT Mod program had progressed from the development\n                       phase to the operations and maintenance phase. That said, there\n                       was a continued risk to the remaining project development work\n                       with the program\xe2\x80\x99s high-level of dependency between its\n                       component projects. The effect of programming changes in any\n                       component could require programming changes to other\n                       components of the system. Another risk is how users\xe2\x80\x99 needs differ\n                       and how FinCEN must consider, prioritize, and accommodate those\n                       differences. In this regard, FinCEN\xe2\x80\x99s continued attention will be\n                       necessary as FinCEN Query and Advanced Analytics users become\n                       more familiar with the system and may request changes,\n                       enhancements, and support. In our future audit work under the\n                       Congressional directive, we plan to assess FinCEN\xe2\x80\x99s efforts in\n                       meeting these BSA IT Mod challenges.\n\n\n\n5\n  The Broker Information Exchange project is to provide a mechanism to share case information for both\ninternal and external users. It also is to have the capability to allow (a) law enforcement agencies to\nsubmit requests through FinCEN to financial institutions for information about financial accounts and\ntransactions of persons or businesses that may be involved in terrorism or money laundering and\n(b) financial institutions to share information with one another through FinCEN to identify and report\nsuspicious money laundering or terrorist activities to the federal government.\n6\n  Advanced Analytics provides complex search and retrieval functionality such as statistical analyses for\nFinCEN internal users to support their analytical, law enforcement, and regulatory activities.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule     Page 3\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0c                      We also found that the level of program oversight by FinCEN and\n                      Treasury OCIO had not changed since our previous report, and we\n                      consider the level of oversight to be appropriate.\n\n                      We are recommending that FinCEN (1) when making changes to\n                      BSA IT Mod, communicate the changes to users; (2) continue to\n                      engage users to address their concerns and suggested\n                      enhancements to BSA IT Mod through the Data Management\n                      Council (DMC) 7 and periodically communicate the status of these\n                      suggestions to users; and (3) ensure that training and support is\n                      provided to internal and external BSA IT Mod users that addresses\n                      their business needs.\n\n                      In its management response, which is provided in appendix 3,\n                      FinCEN concurred with our recommendations. Its actions, both\n                      taken and planned, are summarized in the Recommendations\n                      section of this report and meet the intent of the recommendations.\n                      With regard to FinCEN Query, FinCEN noted that this new query\n                      system is a robust tool built using modern web search technology\n                      that allows users to search BSA data more comprehensively than\n                      before. As users learn how to use and leverage these new\n                      capabilities in their own environments, FinCEN management\n                      believes that it will continue to identify changes and enhancements\n                      they would like to see in the system. FinCEN will work with its\n                      stakeholders to identify and discuss ways to balance the respective\n                      business priorities of the user community and enhance FinCEN\n                      Query now and in years ahead.\n\nFindings\nFinding 1             BSA IT Mod Program Was within Budgeted Costs with\n                      One Milestone Remaining\n\n                      As of June 2013, we found that BSA IT Mod program was within\n                      budgeted costs and that all milestones were completed except for\n\n7\n  The DMC provides a forum for internal and external stakeholders to communicate their organizations\xe2\x80\x99\nviews to FinCEN. These members provide input on system and data-related topics including request for\nchanges, data-related issues, and system defects. According to FinCEN, the DMC will be involved in\nprioritizing enhancements and defects that will be addressed as part of future releases. In addition,\nFinCEN\xe2\x80\x99s Investment Review Board sets the priorities for FinCEN, which will also dictate what is\nincluded in each release.\n\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 4\n                      But Users Suggest Enhancements (OIG-13-053)\n\x0c                          the Broker Information Exchange project. The schedule for this final\n                          project was modified to incorporate phases and adjusted from April\n                          2013 to April 2014. Additional time was required to define the\n                          project\xe2\x80\x99s requirements and align with the new organization and its\n                          priorities.\n\n                          Figure 1 provides a timeline of significant events in the BSA IT Mod\n                          program.\n\nFigure 1. Timeline of Significant Events in FinCEN\xe2\x80\x99s BSA System Modernization Efforts\n\n                                                                                                          April 2014\n                      January 2007 \xe2\x80\x93\n                                                                               January 2012                 Planned\n                     December 2009\n   July 2006                                          May 2010           FinCEN transitioned the         milestone and\n                   FinCEN developed IT\n     FinCEN                                           Design and          collection, processing,           system\n                   governance process,\n   terminated                                        development         and storage of all BSA          development\n                   stakeholders\xe2\x80\x99 needs,\n  BSA Direct*                                        phase started             data from IRS              completion\n                    and business case\n\n\n2006        2007           2008       2009           2010         2011          2012          2013        2014\n\n\n     November 2006                 January 2009             June 2011         November 2012           March 2013\n  FinCEN established IT                Program                FinCEN              FinCEN             FinCEN adjusts\n  modernization, vision             initiation and           realigned         completed roll        schedule of the\n   and strategy and set            planning phase            costs and         out of FinCEN              Broker\n      modernization                of BSA IT Mod              adjusts         Query to 7,500           Information\n        foundation                      started              schedule              users                Exchange\n                                                                                                          Project\n\nSource: OIG review of FinCEN data.\n*FinCEN terminated BSA Direct Retrieval and Sharing (BSA Direct) after concluding the project had no guarantee\nof success. We reviewed that failure and found that FinCEN poorly managed the predecessor project,\ninsufficiently defined functional and user requirements, misjudged project complexity, and established an\nunrealistic completion date. We also found that the Treasury OCIO did not actively oversee the project, as\nrequired by the Clinger-Cohen Act of 1996. Treasury Office of Inspector General (OIG), The Failed and Costly\nBSA Direct R&S System Development Effort Provides Important Lessons for FinCEN\xe2\x80\x99s BSA Modernization Program\n(OIG-11-057: Jan. 5, 2011).\n\n\n                          Final Project Date Extended\n\n                          As of June 30, 2013, FinCEN met all but one of the major BSA IT\n                          Mod milestones, Broker Information Exchange. In March 2013, the\n                          Treasury OCIO approved a FinCEN baseline change request (BCR)\n                          to split the program\xe2\x80\x99s final project, release 2 of the Broker\n                          Information Exchange, into two phases and to extend the\n                          completion date from April 2013 to April 2014. The BCR did not\n                          change the Broker Information Exchange project\xe2\x80\x99s budgeted costs.\n\n\n\n                          FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule              Page 5\n                          But Users Suggest Enhancements (OIG-13-053)\n\x0c                         FinCEN BSA IT Mod program management officials and MITRE\n                         officials told us that the completion date for Broker Information\n                         Exchange was extended because of FinCEN\xe2\x80\x99s reorganization\n                         implemented in June 2013. More time was necessary as the\n                         FinCEN personnel needed to define the project\xe2\x80\x99s requirements were\n                         transitioned into new roles within the organization. Additionally,\n                         because of the reorganization, time was needed to both revalidate\n                         existing requirements and ensure new requirements were captured.\n\n                         BSA IT Mod program officials told us that FinCEN's reorganization\n                         and the resulting change in management could pose additional risk\n                         to the Broker Information Exchange project. Specifically, there is a\n                         possibility that management may make changes to the project that\n                         were not originally planned, which could increase its cost and\n                         schedule.\n\n                         Table 1 displays the status of BSA IT Mod by project. Appendix 2\n                         provides descriptions for the various projects.\n\nTable 1: BSA IT Mod Project Schedule Status as of June 30, 2013\n                                                                             Actual or\n                                      Planned            Revised Planned     Planned           Project\n                                      Completion         Completion          Completion        Status at\n                                      Date at May        Date at June        Date at June      June\nProject                               20101              20112               20133             2013\nSOR\n      Release 1                       9/30/2011          12/1/2011           12/15/2011        Complete\n      Release 2                       6/30/2012          7/1/2012            10/16/2012        Complete\nShared Filing Services\n      Release 1                       9/30/2011          12/1/2011           12/15/2011        Complete\n      Release 2                       6/30/2012          7/1/2012            10/16/2012        Complete\nThird Party Data\n      Release 1                       9/30/2011          12/1/2011           12/15/2011        Complete\n      Release 2                       6/30/2012          7/1/2012            10/16/2012        Complete\nData Conversion                       12/31/2011         1/1/2012            1/6/2012          Complete\nE-Filing\n      Release 1                       6/30/2011          7/1/2011            7/1/2011          Complete\n      Release 2                       10/31/2011         7/1/2012            7/31/2012         Complete\nFinCEN Query\n      Release 1                       2/28/2012          6/1/2012            7/20/2012         Complete\n      Release 2                       9/30/2012          10/1/2012           11/16/2012        Complete\nAdvanced Analytics\n      Release 1                       10/31/2010         10/31/2010          10/31/2010        Complete\n      Release 2                       4/30/2011          4/30/2011           4/30/2011         Complete\n      Release 3                       7/31/2012          9/1/2012            8/1/2012          Complete\n      SCIF4                           n/a                12/1/2012           11/9/2012         Complete\nRegister User Portal                  3/31/2011          3/31/2011           3/31/2011         Complete\n\n\n                         FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule     Page 6\n                         But Users Suggest Enhancements (OIG-13-053)\n\x0cTable 1: BSA IT Mod Project Schedule Status as of June 30, 2013\n                                                                               Actual or\n                                     Planned              Revised Planned      Planned            Project\n                                     Completion           Completion           Completion         Status at\n                                     Date at May          Date at June         Date at June       June\nProject                              20101                20112                20133              2013\nIdentity/Access\nControl Management                   3/31/2011            3/31/2011            3/31/2011          Complete\nBroker Information Exchange\n     314A,B Release 1                5/31/2011            5/31/2011            5/31/2011          Complete\n     314A,B Release 2 Phase 1        12/31/2012           4/1/2013             8/1/20135          Ongoing\n     314A,B Release 2 Phase 26       n/a                  n/a                  4/1/20145          Ongoing\nAlerts                               9/30/2012            1/1/2013             1/4/2013           Complete\nBulk Data Dissemination\n      Release 1                      9/30/2011            3/1/2012             4/17/2012          Complete\n      Release 2                      6/30/2012            7/1/2012             10/16/2012         Complete\nInfrastructure & Portal Security\nDevelop and Test                     9/30/2010            9/30/2010            9/30/2010          Complete\n      Release 1                      3/31/2011            3/31/2011            3/31/2011          Complete\n      Release 2                      9/30/2011            9/30/2011            9/30/2011          Complete\n      Release 3                      6/30/2012            n/a7                 n/a7               n/a7\nSource: OIG analysis of FinCEN documentation.\n1\n  The dates displayed were the initial planned completion dates when in May 2010, FinCEN began the design\nand development of projects after receiving Office of Management and Budget approval.\n2\n  FinCEN submitted a BCR to the Treasury CIO to adjust selected project milestone schedule dates and realign\ncosts to keep the overall program on track. The baseline change was implemented in June 2011.\n3\n   Dates represent the actual completion dates if the project was completed, or the planned completion date as\nof the cutoff date of our review (June 30, 2013).\n4\n   A sensitive compartmented information facility (SCIF) has formal access controls and is used to hold\ninformation concerning or derived from intelligence sources, methods, or analytical processes. FinCEN plans\nto provide its SCIF with advanced analytics capability, which was not part of the May 2010 initial plan but\n was part of the June 2011 BCR.\n5\n   A baseline change was implemented in March 2013 which adjusted the schedule completion dates. We plan to\ndetermine the status and report on this milestone in our next semiannual report pursuant to H. Rept. 112-331.\n6\n   Originally, the project did not have two phases.\n7\n   Not applicable - The work planned for Infrastructure release 3 was removed from the project and will be\ndone as part of BSA IT Mod\xe2\x80\x99s on-going operations and maintenance.\n\n\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule           Page 7\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0c                      During the audit period, FinCEN completed the Alerts project. The\n                      project was completed within budgeted costs and near schedule\xe2\x80\x94\n                      the milestone date was missed by only 3 days. FinCEN released\n                      Alerts to its internal users in a pilot program to test the\n                      effectiveness of the business rules developed. 8 FinCEN officials had\n                      not decided when, or to what extent, Alerts will be released to\n                      external users.\n\n                      BSA IT Mod Stayed within Budgeted Costs\n\n                      As of June 30, 2013, FinCEN reported that it spent approximately\n                      $96 million developing BSA IT Mod from its overall $120 million, 4-\n                      year planned budget. Not included in this amount was\n                      approximately $11.2 million in initial program planning costs, which\n                      we addressed in our March 2012 report. In that regard, FinCEN\xe2\x80\x99s\n                      actual program costs incurred through June 2013 were\n                      approximately $107.2 million. A breakdown by category of the\n                      actual costs incurred is provided in Table 2 below.\n\n                        Table 2: BSA IT Mod Costs as of June 30, 2013 (in millions)\n                        Category                                                            Amount\n                        Initial Planning                                                     $11.2\n                        Development\n                            Hardware and Software                                             10.3\n                            Contractor Services                                               44.2\n                            Other1                                                            14.7\n                            Operations and Maintenance2                                       20.3\n                        FinCEN staffing costs3                                                 6.5\n                           Total                                                            $107.2\n                        Source: OIG analysis of FinCEN data.\n                        1\n                          Other costs are comprised of (1) program management and program\n                        engineering performed by Deloitte and MITRE, (2) a contract office fee of\n                        4 percent for the Department of the Interior\xe2\x80\x99s National Business Center\n                        Acquisition Services Directorate for support of the BSA IT Modernization\n                        Program, and (3) a management reserve for potential additional work to be\n                        performed within the authorized work scope of the contract or to\n                        accommodate rate changes for future work.\n                        2\n                          Operations and Maintenance costs are comprised of hosting costs by the\n                        Treasury\xe2\x80\x99s Bureau of the Fiscal Service, hardware and software maintenance\n                        support, network support, application support, and the application help desk\n                        costs.\n                        3\n                          Staffing costs are estimated based on FinCEN\xe2\x80\x99s Exhibit 300 submissions to\n                        the Office of Management and Budget. FinCEN does not track the staffing\n                        costs associated with BSA IT Mod.\n\n\n\n8\n Alerts provides continuous monitoring of BSA Data and provides users electronic notifications of any\nmatches against a business rule such as the Federal Bureau of Investigation\xe2\x80\x99s most wanted list.\n\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule          Page 8\n                      But Users Suggest Enhancements (OIG-13-053)\n\x0c                       FinCEN is funding BSA IT Mod through $119.9 million made\n                       available in its annual congressional appropriations and through\n                       supplemental funding from the Treasury Forfeiture Fund\n                       administered by the Treasury Executive Office of Asset Forfeiture\n                       (TEOAF). TEOAF provided funding for the BSA IT Mod Program\n                       consistent with its authority to provide funds for law enforcement-\n                       related expenditures. 9 Table 3 below identifies the program\xe2\x80\x99s\n                       funding sources by year.\n\n                        Table 3: BSA IT Mod Funding Sources as of June 30, 2013\n                        (in millions)\n                                                                    Treasury\n                                         Congressional             Forfeiture\n                        Fiscal Year      Appropriation                  Fund           Total\n                        2009                     $2.5                  $3.7            $6.2\n                        2010                     18.5                  11.7            30.2\n                        2011                     18.5                  11.5            30.0\n                        2012                     23.5                    6.5           30.0\n                        2013                     23.5                    0.0           23.5\n                          Total                 $86.5                 $33.4          $119.9\n                        Source: OIG analysis of FinCEN and TEOAF documentation.\n\n\n\nFinding 2              BSA IT Mod Is Generally Meeting User Needs But Users\n                       Suggest Further Enhancements\n\n                       BSA IT Mod continued its transition from the project development\n                       phase to the operations and maintenance phase. The final\n                       milestone project, Broker Information Exchange, will be tested as it\n                       approaches its April 2014 completion date. FinCEN Query users\n                       from law enforcement and regulatory agencies we interviewed\n                       were generally satisfied with the system, but they expressed\n                       concerns about some limitations they experienced with the tool and\n                       suggested enhancements. FinCEN analysts found that Advanced\n                       Analytics met their needs though they found it somewhat complex\n                       and believed additional training would be beneficial.\n\n9\n  The Treasury Forfeiture Fund, which is the receipt account for the deposit of non-tax forfeitures made\nas a result of law enforcement actions by participating Treasury and Department of Homeland Security\nagencies. The Treasury Forfeiture Fund was established under 31 U.S.C. \xc2\xa7 9703. The Fund can provide\nmoney to other federal entities to accomplish specific objectives for which the recipient entities are\nauthorized to spend money and toward other authorized expenses. Distributions from this Fund in\nexcess of $500,000 cannot be used until the Appropriations Committees from both houses of Congress\nare notified. TEOAF submits its planned release of funds to Congress annually. Those submissions\nthrough fiscal year 2012 included the funding provided for the BSA IT Mod program.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule    Page 9\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0c                       Performance Testing of BSA IT Mod Projects\n\n                       FinCEN continued its transition from project development to the\n                       operations and maintenance phase of BSA IT Mod. FinCEN\n                       conducted government acceptance testing of all BSA IT Mod\n                       projects during previous audit periods except for the final project,\n                       Broker Information Exchange, which was still in development.\n                       FinCEN plans to test Broker Information Exchange as it progresses\n                       toward completion, planned for April 2014.\n\n                       During this ongoing operations and maintenance effort, FinCEN\n                       consolidated all ongoing and new issues involving BSA IT Mod.\n                       This includes unresolved defects and change requests to be\n                       addressed in future project releases. FinCEN and MITRE considered\n                       all open defects to be of low severity, meaning that the defects\n                       would not significantly impair program performance or\n                       functionality. 10\n\n                       In our last audit, we reported that FinCEN Query had been\n                       experiencing service interruptions. According to FinCEN program\n                       management officials and program documentation, this issue was\n                       resolved in March 2013. The issue was created by a software\n                       defect and FinCEN worked with the software vendor to repair the\n                       problem. FinCEN officials told us that there have been no further\n                       issues caused by this defect.\n\n                       Users Largely Satisfied with FinCEN Query and Suggested\n                       Enhancements\n\n                       During our audit period, approximately 10,600 users from various\n                       law enforcement and regulatory agencies had access to FinCEN\n                       Query and made approximately 2.4 million queries. We interviewed\n                       a total of 46 users from 11 government agencies, consisting of\n                       7 regulatory agencies 11 (34 users) and 4 law enforcement agencies\n\n\n10\n   FinCEN logs and prioritizes all defects, requests for change and enhancements as well as necessary\nfixes to repair system functionality. As of June 25, 2013, FinCEN had 153 requests for changes and\nenhancements and 275 open defects, which FinCEN continued to address.\n11\n   The regulatory agencies were Federal Deposit Insurance Corporation, Office of the Comptroller of the\nCurrency, Board of Governors of the Federal Reserve System, National Credit Union Administration,\nIRS\xe2\x80\x99s Small Business/Self-Employed Unit, Security Exchange Commission, and Commodity Futures\nTrading Commission.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 10\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0c                       (12 users), 12 to determine their level of satisfaction with FinCEN\n                       Query. 13 The users we spoke with were largely satisfied. Users told\n                       us that the system provided quick results to simple searches,\n                       although some users said that more complex searches took longer.\n                       Users also told us that they liked FinCEN Query\xe2\x80\x99s features and\n                       functionality, such as the capability to import lists into the search\n                       criteria and to build more complex searches.\n\n                       Certain users we spoke with did identify some limitations with\n                       FinCEN Query, or cited the need for enhancements, as discussed\n                       below. FinCEN officials told us that they have begun to re-engage\n                       users through the DMC to address and prioritize these and other\n                       suggested enhancements. FinCEN wanted users to have time to\n                       become familiar with the system before re-engaging them on the\n                       data management process, which includes enhancement\n                       requests. 14\n\n                       Difficulties Importing BSA IT Mod Data\n\n                       Users with four regulators said that they were having difficulties\n                       importing the data from FinCEN Query into their internal systems\n                       because the format of the imported data was incompatible. The\n                       users told us that the inability to download data into their internal\n                       systems had impeded their ability to analyze the data for, among\n                       other things, trends.\n\n                       Users with two regulators told us that they had created tools to\n                       convert the BSA data downloaded from FinCEN Query to a format\n                       recognized by their internal systems, such as their bank\n                       examination systems. In this regard, one user told us that any\n                       changes FinCEN subsequently makes to BSA IT Mod could impact\n                       the regulator\xe2\x80\x99s ability to convert downloaded BSA data for use in\n\n\n12\n   The law enforcement agencies were IRS\xe2\x80\x99s Criminal Investigation Division, U.S. Immigration and\nCustoms Enforcement, U.S. Secret Service, U.S. Customs and Border Protection, and Massachusetts\nState Police.\n13\n   We also contacted the Department of Justice in the attempt to obtain feedback from BSA IT Mod\nusers within its various components agencies. However, the user interviews could not be coordinated in\ntime for this audit. We plan to continue reaching out to Justice for their feedback during our next audit\nof BSA IT Mod.\n14\n   During our audit period, FinCEN initiated a survey to approximately 8,000 users. It expects to finalize\nthe survey results in September 2013. We plan to review the results of the survey during the next BSA\nIT Mod audit.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule    Page 11\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0c                       its examination applications, and that it was therefore important\n                       that FinCEN communicate changes to the users.\n\n                       FinCEN Query Limitations\n\n                       Users with both regulators and law enforcement agencies said that\n                       FinCEN Query search results do not display all BSA IT Mod data\n                       fields, such as the narrative field on the Suspicious Activity Report\n                       (SAR). Additionally, one law enforcement user told us that certain\n                       data fields existing within BSA IT Mod could not be searched, such\n                       as \xe2\x80\x9cport of entry.\xe2\x80\x9d\n\n                       Users also told us that FinCEN Query search results were\n                       challenging to sort in Microsoft Excel. 15 Because of data format\n                       limitations, a search of a subject name for example could yield\n                       multiple subject names grouped in a single data cell which makes\n                       sorting and analysis difficult.\n\n                       Number of Downloadable Records is Limited\n\n                       Users with regulators told us that the number of data records that\n                       can be downloaded from FinCEN Query is limited to 10,000. 16\n                       Because of this limit, examiners have to divide downloads into\n                       multiple segments, which is time consuming and impedes the\n                       efficiency of their examinations because there can be upwards to\n                       400,000 records for large financial institutions.\n\n                       According to these users, the capability to download a larger\n                       number of records was a business requirement they had requested\n                       from FinCEN during the BSA IT Mod requirements phase. FinCEN\xe2\x80\x99s\n                       BSA IT Mod program management officials told us that the number\n                       of records was limited to avoid the system being slowed down by\n                       users downloading large numbers of records. FinCEN\xe2\x80\x99s BSA IT Mod\n                       Program manager stated that there has been little evidence that the\n                       majority of users would need to download more than 10,000\n                       records at one time.\n\n\n\n\n15\n  FinCEN Query search results are exportable only into Microsoft Excel for analysis.\n16\n  A data record is a single BSA report such as a Suspicious Activity Report and contains all the data\nassociated with the filing.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 12\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0c                       Agencies\xe2\x80\x99 Ability to Monitor or Limit Use of FinCEN Query\n\n                       Users told us that there is no mechanism to allow their BSA IT Mod\n                       administrators to monitor staff use of FinCEN Query or to limit\n                       access to particular features to prevent potential misuse of FinCEN\n                       Query and ensure that BSA data is safeguarded. FinCEN program\n                       management officials told us that they did not believe that this was\n                       an issue that needed to be resolved, but that they would make a\n                       concerted effort to better explain to BSA IT Mod administrators\n                       how to monitor and limit access to the new system. We plan to\n                       evaluate user monitoring controls and guidance provided by FinCEN\n                       during our next audit of BSA IT Mod.\n\n                       Opinions of FinCEN\xe2\x80\x99s Responsiveness to Inquiries Varied\n\n                       Overall, users were satisfied with FinCEN\xe2\x80\x99s Application Help Desk\xe2\x80\x99s\n                       responsiveness to their general inquiries concerning BSA IT Mod. 17\n                       However, some users told us that FinCEN could be more\n                       forthcoming with information concerning system changes or\n                       defects that had been communicated to FinCEN. These users told\n                       us, for example, that FinCEN did not communicate when or how\n                       certain issues had been or would be resolved.\n\n                       FinCEN program management officials told us that FinCEN needed\n                       time to resolve defects and incorporate system enhancements to\n                       address the users\xe2\x80\x99 problems.\n\n                       Additional Training Needed\n\n                       Almost all of the users we spoke with said that they could use\n                       more training on FinCEN Query. The users had primarily received\n                       online training and thought that more traditional, instructor-led\n                       training that was specifically geared for their business needs,\n                       would be helpful. 18\n\n\n17\n   Users reported their problems to FinCEN\xe2\x80\x99s Application Help Desk for resolution. The calls were listed\nin a log and assigned a \xe2\x80\x9cticket\xe2\x80\x9d number. If the issue could be resolved expediently or required urgent\nsystem fixes to restore functionality, FinCEN immediately notified the users to resolve their problems. If\nthe users\xe2\x80\x99 problems required more time to resolve, such as relating to a system defect or change not\nrequiring an immediate fix, FinCEN prioritized these for consideration in future system releases.\n18\n   Online training included live Webinars, training modules, job aides, and access to FinCEN Query\xe2\x80\x99s user\nmanual.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule    Page 13\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0c                       FinCEN Analysts Find Advanced Analytics Challenging To Use\n\n                       We spoke with nine internal FinCEN analysts about their\n                       experiences with FinCEN Query and Advanced Analytics. Overall,\n                       the users told us that the applications were meeting their needs,\n                       but those analysts who used Advanced Analytics found it\n                       challenging. Analysts told us that a more comprehensive\n                       understanding of both the application and underlying data structure\n                       is needed, as is continued assistance from Deloitte\xe2\x80\x99s support team.\n                       To address these challenges, analysts believed that additional\n                       training and experience with the tool was needed.\n\n                       Risks Remain to BSA IT Mod\xe2\x80\x99s Successful Completion\n\n                       Similar to what we reported in March 2013, there is a continued\n                       risk with the program\xe2\x80\x99s high-level of dependency between its\n                       component projects. The effect of programming changes in any\n                       component may require programming changes to other components\n                       of the system.\n\n                       There is also continued balance as to how the needs of various\n                       users will be considered, prioritized, and accommodated. In this\n                       regard, FinCEN\xe2\x80\x99s continued attention will be critical as FinCEN\n                       Query and Advanced Analytics users become more familiar with\n                       the system and may request changes, enhancements, and support\n                       must be determined.\n\nFinding 3              Oversight of BSA IT Mod Continued\n\n                       In our March 2013 report, we reported that FinCEN maintained\n                       oversight of BSA IT Mod. FinCEN Program Management Office\n                       officials continued to provide technical assistance of BSA IT Mod\n                       configuration management, as this was considered more important\n                       to the program\xe2\x80\x99s success than was conducting independent\n                       assessments. 19 We also found Treasury OCIO\xe2\x80\x99s monitoring of the\n                       program was appropriate based on the overall positive track record\n\n19\n   Configuration management is a process for establishing and maintaining consistency of a system\xe2\x80\x99s\nperformance and functional and physical attributes with its requirements, design, and operational\ninformation throughout its life. The process includes the detailed recording and updating of information\nthat describes an enterprise's hardware and software. It allows computer technicians to see what is\ncurrently installed, make a more informed decision about upgrades needed, and make sure any changes\nmade to one system do not adversely affect any of the other systems.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 14\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0c                      by FinCEN managing the BSA IT Mod development effort. During\n                      our current audit, we found that the level of program oversight\n                      exercised by FinCEN and Treasury OCIO had not changed since our\n                      previous report. Also, not unexpectedly as the development effort\n                      moves to operations and maintenance, MITRE and Deloitte are\n                      providing less support to FinCEN\xe2\x80\x99s BSA IT Mod program\n                      management.\n\n                      FinCEN Oversight\n\n                      Deloitte continued to provide FinCEN with monthly BSA IT Mod\n                      program management reviews focused on the program status using\n                      Earned Value Management and provided a forum for discussing the\n                      risks and risk mitigation plans. 20 In the future, FinCEN program\n                      management reviews will focus on the remaining milestone project\n                      and related operations and maintenance work. We were told by\n                      MITRE officials that FinCEN is managing the program in an\n                      acceptable manner and that they had no significant concerns.\n\n                      Treasury OCIO Oversight\n\n                      In our previous audit, we found Treasury OCIO\xe2\x80\x99s monitoring of the\n                      program appropriate given the overall positive track record by\n                      FinCEN managing the BSA IT Mod development effort. During this\n                      audit, we found Treasury OCIO continues to monitor FinCEN\n                      monthly data submissions to identify potential issues and performs\n                      macro-level reviews including trend analysis. The office also\n                      implemented quarterly investment status meetings with FinCEN,\n                      and plans to institute a new practice of conducting a post\n                      implementation review upon the program\xe2\x80\x99s completion. 21\n\n                      Similar to what we reported in March 2013, Treasury OCIO\n                      officials told us that the program was performing well, they were\n                      satisfied with the level and quality of BSA IT Mod program data\n                      provided by FinCEN, and they were satisfied with FinCEN\xe2\x80\x99s\n\n20\n   Earned Value Management measures the value of work accomplished in a given period. Differences in\nthese values are measured in both cost and schedule variances. Explanations must be provided for\nvariances of 10 percent and are subject to corrective action plans, BCRs, or termination. The use of\nEarned Value Management satisfies Office of Management and Budget requirements on programs\nclassified as major acquisitions as well IT projects. FinCEN contracted with MITRE to provide an\nindependent validation to ensure the accuracy of Earned Value Management data.\n21\n   The post implementation review will evaluate whether the system works as originally planned.\n\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 15\n                      But Users Suggest Enhancements (OIG-13-053)\n\x0c                       management of the program. Treasury OCIO changed their overall\n                       program rating on the IT Dashboard from \xe2\x80\x9cmedium risk\xe2\x80\x9d to\n                       \xe2\x80\x9cmoderately low risk\xe2\x80\x9d because the BSA IT Mod program was close\n                       to completion and there is a less stringent schedule for the final\n                       project.\n\n                       As we reported in our previous audits of BSA IT Mod, the Treasury\n                       CIO is a member of both the BSA IT Mod Modernization Executive\n                       Group and Executive Steering Committee, which meets on a\n                       quarterly basis or when a major decision or approval is sought.\n                       During this audit, Treasury OCIO governance was primarily\n                       conducted through Executive Steering Committee e-mails related to\n                       the closure of the Alerts project milestone and the BCR to divide\n                       the Broker Information Exchange into two phases and to extend the\n                       completion date.\n\n                       In summary, we believe that the oversight by FinCEN management\n                       and Treasury OCIO during this audit period was appropriate given\n                       the overall positive track record by FinCEN in managing its BSA IT\n                       Mod development effort. We plan to continue to review program\n                       oversight exercised in our future audits of the program.\n\n\nRecommendations\n                       We recommend the FinCEN Director:\n\n                       1. When making changes to BSA IT Mod, communicate the\n                          changes to users.\n\n                          Management Response\n\n                          Representatives from federal regulatory and law enforcement\n                          agencies that use FinCEN Query participate in FinCEN monthly\n                          DMC meetings. FinCEN will continue to communicate system\n                          changes and release updates at the monthly DMC meetings, as\n                          well as continue to make announcements and information\n                          available via the FinCEN Portal. 22\n\n\n\n22\n  The FinCEN Portal is the gateway for authorized federal, state, and local law enforcement and\nregulatory users to access BSA data, reports, secure e-mail, training, and help resources.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule    Page 16\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0c   OIG Comment\n\n   The above commitment by FinCEN meets the intent of our\n   recommendation.\n\n2. Continue to engage users to address their concerns and\n   suggested enhancements to BSA IT Mod through the DMC and\n   periodically communicate the status of these suggestions to\n   users.\n\n   Management Response\n\n   FinCEN uses the DMC as the forum to discuss the business\n   impacts of system issues and suggested changes or\n   enhancements raised by users. FinCEN will continue to use the\n   DMC in this manner to inform the Investment Review Board as\n   it prioritizes work efforts throughout operations and\n   maintenance.\n\n   OIG Comment\n\n   The above commitment by FinCEN meets the intent of our\n   recommendation.\n\n3. Ensure that training and support is provided to internal and\n   external BSA IT Mod users that address general as well as\n   unique business needs.\n\n   Management Response\n\n   For the FinCEN Query tool, FinCEN currently has modular, web-\n   based training, online help, a quick reference guide, and 10 job\n   aids available to users on the FinCEN Portal. FinCEN has held 26\n   webinars and 48 in-person training courses, in addition to\n   various hands-on training during separate inspection visits. For\n   the Advanced Analytics tool used by FinCEN analysts, FinCEN\n   conducted instructor-led training prior to deployment. In\n   addition, FinCEN brought in the vendor for 11 onsite training\n   courses and conducted approximately 12 brown bag sessions to\n   demonstrate new capabilities and respond to questions. FinCEN\n   does recognize the need for additional educational support to its\n   user community and commits to developing a comprehensive,\n   sustainable training plan that targets external users, as well as\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 17\nBut Users Suggest Enhancements (OIG-13-053)\n\x0c   FinCEN analysts. The estimated completion date is February\n   2014.\n\n   OIG Comment\n\n   The above actions taken and planned by FinCEN meet the intent\n   of our recommendation.\n\n                            ******\nWe appreciate the cooperation and courtesies extended to our staff\nduring the audit. If you wish to discuss the report, you may\ncontact me at (617) 223-8640 or Mark Ossinger, Audit Manager,\nat (617) 223-8643. Major contributors to this report are listed in\nappendix 4.\n\n/s/\nSharon Torosian\nAudit Director\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 18\nBut Users Suggest Enhancements (OIG-13-053)\n\x0c                        Appendix 1\n                        Objectives, Scope, and Methodology\n\n\n\n\n                        Pursuant to a Congressional directive, 23 this is the fourth in a series\n                        of audits of the Financial Crimes Enforcement Network's (FinCEN)\n                        Bank Secrecy Act (BSA) Information Technology Modernization\n                        Program (BSA IT Mod). Our objective was to determine if FinCEN is\n                        (1) meeting cost, schedule, and performance benchmarks for this\n                        program and (2) providing appropriate oversight of contractors. In\n                        addition, we evaluated any deviations from FinCEN\xe2\x80\x99s plan, and\n                        determined how the system was meeting the users\xe2\x80\x99 needs. We\n                        determined the status of the program\xe2\x80\x99s cost, schedule, and\n                        performance through June 30, 2013.\n\n                        To accomplish our objective, we interviewed officials with FinCEN,\n                        Department of the Treasury\xe2\x80\x99s Office of the Chief Information\n                        Officer (OCIO), and FinCEN\xe2\x80\x99s contractors. We also interviewed\n                        various BSA IT Mod users internal and external to FinCEN. In\n                        addition, we reviewed applicable program documentation. We\n                        performed our fieldwork from April 2013 through July 2013.\n\n                        At FinCEN, we interviewed:\n\n                        \xe2\x80\xa2   The Chief Information Officer (CIO), Chief Technology Officer\n                            (CTO), and the BSA IT Mod Program Manager to obtain an\n                            update on BSA IT Mod, cost and schedule concerns, project\n                            testing conducted and defect resolution, strategies employed,\n                            and overall progress of the program.\n\n                        \xe2\x80\xa2   The Assistant Director and staff for FinCEN\xe2\x80\x99s Project\n                            Management Office to obtain an understanding of their level of\n                            involvement with program oversight and to gain their\n                            perspective on the program\xe2\x80\x99s status in terms of cost, schedule,\n                            and performance.\n\n                        \xe2\x80\xa2   The project managers, project leaders, and contracting officer\n                            representatives responsible for each BSA IT Mod project to\n                            obtain an understanding of their perspective, level of\n                            involvement, schedule and performance concerns, and overall\n                            progress of their respective projects.\n\n\n\n23\n     House Report (H. Rept.) 112-331\n\n\n                        FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 19\n                        But Users Suggest Enhancements (OIG-13-053)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\n\xe2\x80\xa2   The Acting Associate Director for Intelligence to obtain an\n    understanding of the extent to which FinCEN analysts use\n    Advanced Analytics.\n\nExternal to FinCEN, we interviewed the following officials:\n\n\xe2\x80\xa2   Deloitte LLP\xe2\x80\x99s Managing Director and Deloitte\xe2\x80\x99s Program\n    Manager and Analyst for Earned Value Management for BSA IT\n    Mod to obtain an update on their perspective of BSA IT Mod\n    and ascertain the program\xe2\x80\x99s status. These interviews were\n    conducted at the contractor\xe2\x80\x99s office in Rosslyn, Virginia.\n\n\xe2\x80\xa2   MITRE representatives to obtain an update of MITRE\xe2\x80\x99s role as\n    the federally funded research and development contractor, its\n    level of involvement with the program, as well as issues,\n    concerns, and other significant matters observed. These\n    interviews were conducted at a MITRE office in McLean,\n    Virginia.\n\n\xe2\x80\xa2   The Treasury OCIO\xe2\x80\x99s Director of IT Capital Planning for an\n    update on OCIO\xe2\x80\x99s role in overseeing BSA IT Mod, as well as\n    issues, concerns, and other significant matters.\n\n\xe2\x80\xa2   The Internal Revenue Service\xe2\x80\x99s (IRS) Modernization, Information\n    Technology and Security Services Division to identify any\n    concerns they may have regarding BSA IT Mod.\n\n\xe2\x80\xa2   U.S. Customs and Border Protection officials to determine the\n    status of agency system upgrade that would allow the agency\n    to receive bulk BSA data directly from FinCEN instead of IRS\xe2\x80\x99\n    legacy system for BSA data.\n\nWe interviewed a total of 46 BSA IT Mod users. The individuals\nselected for interview were among the more frequent users of BSA\nIT Mod according to FinCEN documentation. Our interviews\nincluded users with seven regulatory agencies (34 users) and four\nlaw enforcement agencies (12 users) to understand how they use\nFinCEN Query and if it was meeting their needs. The regulatory\nagencies represented by the users interviewed were Federal\nDeposit Insurance Corporation, Office of the Comptroller of the\nCurrency, Federal Reserve Board, National Credit Union\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 20\nBut Users Suggest Enhancements (OIG-13-053)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\nAdministration, IRS\xe2\x80\x99s Small Business/Self-Employed Unit, Security\nExchange Commission, and Commodity Futures Trading\nCommission. Law enforcement agencies represented by the users\ninterviewed were IRS Criminal Investigation Division, U.S.\nImmigration and Customs Enforcement, U.S. Secret Service, and\nMassachusetts State Police. We also interviewed 9 FinCEN\nanalysts to understand how they used Advanced Analytics and if it\nwas meeting their needs.\n\nWe reviewed FinCEN program-related information, including:\nmanagement reports; minutes from executive, management, and\ntechnical meetings; planning documentation; program and project\nlevel documentation; and FinCEN presentations to internal and\nexternal oversight groups (e.g., Congress, Office of Management\nand Budget, Treasury OCIO, BSA IT Mod Modernization Executive\nGroup and Executive Steering Committee, and FinCEN\nmanagement).\n\nWe reviewed program management briefings and status reports,\ninternal and external program performance assessment reports, and\nrelated documentation to assess program performance status,\nrisks, and issues.\n\nWe conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require\nthat we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 21\nBut Users Suggest Enhancements (OIG-13-053)\n\x0cAppendix 2\nAdditional Background Information on BSA IT Mod\n\n\nProjects Included\n\nThe Bank Secrecy Act (BSA) Information Technology Modernization\nProgram (BSA IT Mod) is made up of multiple projects with specific\ncomponents. The projects are summarized below. All projects\nexcept for Broker Information Exchange were completed as of\nJune 30, 2013.\n\n\xe2\x80\xa2   System of Record (SOR) provides data storage and architecture\n    for BSA data for 11 years of BSA data.\n\n\xe2\x80\xa2   Shared Filing Services provides for validation of BSA data with\n    external data sources, such as validation of addresses to U.S.\n    Postal Service data.\n\n\xe2\x80\xa2   Third Party Data provides the SOR additional BSA data through\n    external data sources such as the financial institution\n    identification number assigned by the Federal Reserve.\n\n\xe2\x80\xa2   Bulk Data Dissemination is used for the distribution of large\n    quantities of BSA data to external users.\n\n\xe2\x80\xa2   Data Conversion converted 11 years of BSA data from an\n    Internal Revenue Service legacy system to the FinCEN\xe2\x80\x99s new\n    SOR.\n\n\xe2\x80\xa2   BSA E-Filing is used by BSA filers to submit all required\n    electronic filing of BSA forms to FinCEN.\n\n\xe2\x80\xa2   FinCEN Query is a tool designed to improve authorized users\xe2\x80\x99\n    ability to access and analyze BSA data. The tool is used by\n    FinCEN internal users and by registered external users and\n    customers to retrieve and analyze BSA data. The tool supports\n    traditional structured BSA data queries, and provides narrative\n    search capabilities and options to coordinate and collaborate\n    with users on queries performed.\n\n\xe2\x80\xa2   Advanced Analytics provides complex search and retrieval\n    functionality for FinCEN internal users to support their\n    analytical, law enforcement, and regulatory activities. The tool\n    provides advanced analytical capabilities such as geospatial,\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 22\nBut Users Suggest Enhancements (OIG-13-053)\n\x0c                         Appendix 2\n                         Additional Background Information on BSA IT Mod\n\n\n                             statistical analysis, social networking, semantic interchange,\n                             and visualization capabilities.\n\n                         \xe2\x80\xa2   Register User Portal/Identity Management/Access Control\n                             Management provides the means for common user interface and\n                             authentication process through which both internal and external\n                             authorized users gain access to all future BSA IT Mod\n                             applications.\n\n                         \xe2\x80\xa2   Infrastructure provided the design, development, procurement,\n                             and implementation of the development and test environments,\n                             storage area network(s), and disaster recovery capabilities\n                             required to support BSA IT Mod projects.\n\n                         \xe2\x80\xa2   Broker Information Exchange provides the Financial Intelligence\n                             Repository, and 314A and 314B components. The Financial\n                             Intelligence Repository project is to replace FinCEN\xe2\x80\x99s case\n                             management systems\xe2\x80\x94FinDB for investigative cases, and the\n                             Customer Management System for compliance cases. The first\n                             release of the Financial Intelligence Repository project is to\n                             create the Financial Intelligence Repository and incorporates\n                             SharePoint (a Microsoft software application for sharing\n                             information) as a mechanism to share case information for both\n                             internal and external users. The 314A component allows law\n                             enforcement agencies to submit requests through FinCEN to\n                             financial institutions for information about financial accounts\n                             and transactions of persons or businesses that may be involved\n                             in terrorism or money laundering. The 314B component allows\n                             financial institutions to share information with one another\n                             through FinCEN to identify and report suspicious money\n                             laundering or terrorist activities to the federal government.\n                             314A and 314B refer to Section 314 of the USA Patriot Act\n                             that requires FinCEN of establish these functionalities. 24 The\n                             project is ongoing as of June 2013.\n\n                         \xe2\x80\xa2   Alerts provides for an automatic alert to be sent to FinCEN\n                             analysts about suspicious activities reported by filers based on\n                             pre-defined criteria.\n\n\n\n24\n     Section 314 of the USA Patriot Act is established under 31 U.S.C. \xc2\xa7 5311.\n\n\n                         FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 23\n                         But Users Suggest Enhancements (OIG-13-053)\n\x0c                       Appendix 2\n                       Additional Background Information on BSA IT Mod\n\n\n                       Contractors Engaged by FinCEN\n\n                       In March 2008, FinCEN awarded a 5-year indefinite delivery,\n                       indefinite quantity (IDIQ) contract to BearingPoint, Inc., to support\n                       a full range of information technology services, custom\n                       applications, maintenance support, and infrastructure support\n                       necessary to implement the FinCEN IT operational objectives.\n                       Numerous task orders have been issued against the contract\n                       including those for the BSA IT Mod program. 25 The contract was\n                       subsequently transferred to Deloitte Consulting, LLP (Deloitte). 26\n                       The contract ceiling is a maximum of $144 million and a minimum\n                       of $1 million over the contract\xe2\x80\x99s 5-year life. FinCEN also contracted\n                       with MITRE Corporation (MITRE) at a cost of approximately $1.5\n                       million to provide management guidance, coordination, and\n                       evaluation support for BSA IT Mod. 27 MITRE is a subject matter\n                       expert on program and project management, and BSA IT Mod\n                       business capabilities.\n\n                       FinCEN is using the Acquisitions Services Directorate of the U.S.\n                       Department of the Interior as the contract office to administer the\n                       contract. FinCEN chose this office because of its prior experience\n                       handling large, complex procurements. At the time of our audit,\n                       FinCEN was transitioning away from using Acquisitions Services\n                       Directorate for new contracting services related to BSA IT Mod to\n                       Treasury\xe2\x80\x99s Bureau of the Fiscal Service Administrative Resource\n                       Center. This transition is expected to be complete by December\n                       2013.\n\n25\n   An IDIQ contract provides for an indefinite quantity of services during a fixed period of time. This\ntype of contract is used when it cannot be predetermined, above a specified minimum, the precise\nquantities of supplies or services that the government will require during the contract period. IDIQ\ncontracts are most often used for service contracts and architect-engineering services. An IDIQ contract\nis flexible, especially when not all the requirements are known at the start of a contract and is\nconducive to a modular approach, which would be one with phases or milestones.\n26\n   The IDIQ contract was transferred from BearingPoint, Inc. to Deloitte on October 1, 2009 after\nDeloitte purchased substantially all of the assets of Bearing Point, Inc., Public Service Division.\n27\n   MITRE is a not-for-profit organization chartered to work in the public interest with expertise in\nsystems engineering, information technology, operational concepts, and enterprise modernization.\nAmong other things, it manages federally funded research and development centers, including one for\nIRS and U.S. Department of Veterans Affairs (the Center for Enterprise Modernization). Under\nTreasury\xe2\x80\x99s existing contract with MITRE, Treasury and its bureaus, with permission of the IRS sponsor,\nmay contract for support in the following task areas: strategic management, technical management,\nprogram and project management, procurement, and evaluation and audit to facilitate the modernization\nof systems and their business and technical operation.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 24\n                       But Users Suggest Enhancements (OIG-13-053)\n\x0cAppendix 3\nManagement Response\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 25\nBut Users Suggest Enhancements (OIG-13-053)\n\x0cAppendix 3\nManagement Response\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 26\nBut Users Suggest Enhancements (OIG-13-053)\n\x0cAppendix 4\nMajor Contributors to this Report\n\n\n\n\nBoston Office\n\nMark Ossinger, Audit Manager\nKenneth O\xe2\x80\x99Loughlin, Audit Manager\nRichard Wood, Auditor\n\nWashington, D.C.\n\nLarissa Klimpel, Referencer\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 27\nBut Users Suggest Enhancements (OIG-13-053)\n\x0cAppendix 5\nReport Distribution\n\n\n\n\nDepartment of the Treasury\n\n   Deputy Secretary\n   Under Secretary for Terrorism and Financial Intelligence\n   Chief Information Officer\n   Office of Strategic Planning and Performance Management\n   Office of the Deputy Chief Financial Officer, Risk and Control\n       Group\n\nFinancial Crimes Enforcement Network\n\n   Director\n\nOffice of Management and Budget\n\n   OIG Budget Examiner\n\nU.S. Senate\n\n   Chairman and Ranking Member\n   Committee on Appropriations\n\n   Chairman and Ranking Member\n   Subcommittee on Financial Services and General Government\n   Committee on Appropriations\n\nU.S. House of Representatives\n\n   Chairman and Ranking Member\n   Committee on Appropriations\n\n   Chairman and Ranking Member\n   Subcommittee on Financial Services and General Government\n   Committee on Appropriations\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Was within Budget and on Schedule   Page 28\nBut Users Suggest Enhancements (OIG-13-053)\n\x0c"